WebApp Sec mailing list archives

Re: Home - Web Application Security Consortium
From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: Wed, 30 Jun 2004 10:13:18 -0700

On Tuesday, June 29, 2004, at 08:08  PM, Arian J. Evans wrote:

So you were agreeing with me in your response?

How is WASC going to play with OWASP? Time will tell, but in my opinion
the more web application security awareness the better. The fundamental
hurdle we have in the industry is education, not the lack of available
solutions. Once the problem is known and understood, applying solutions
is often easy.

I guess it strikes me as odd since OWASP is so well known; clients that
don't understand any of the concepts you mentioned or know who SPI/Whitehats
are frequently know of OWASP. And have downloaded the Top 10.

It seems strange not to have used that vehicle for awareness, since it is
already generating awareness and effectively educating many people. I
fail to see how yet another consortium will help education.

You're right, it probably looks strange that there are two groups which are similar in nature. Though this is a common occurrence in the industry.

When WASC formed, we knew ahead of time the projects we wanted to focus on (2 mentioned earlier). We also knew what we were looking to achieve in the future. Taking this into account, as a group we chose not to leverage the visibility of an existing organization. We decided to differentiate and be judged through our deliverables as they are made available.

I'd also like to point out that participation in WASC or OWASP is not mutually exclusive. There are participants in WASC who are or have been members of OWASP. The same is true in reverse. It is a community.

But it is a free world; you undoubtedly have your reasons and I don't like
people putting their nose into my business, so...

I have no vested interest one way or the other in OWASP. My concern
is more around a vendor FUD/hype vehicle, as you probably detected.

Your concerns are completely valid. Especially since both organizations are dominated by vendors of all varieties. We'd all like to see the industry mature beyond where it is today. As I said before, awareness and education is an essential step toward applying effective solutions. Healthy skepticism is encouraged as it provides the checks and balances necessary for a successful endeavor.

I think I hit all the points, hope this helps.

Thanks for explaining. Looking forward to the output of your collective efforts.

Disappointed it's not a community effort, but I also understand how slow
and unfruitful collective community efforts can be.

I don't know about disappointing, both are essentially open community efforts moving in a similar direction. But as an industry I believe we've been slow to work together and accomplish things. More groups will help speed things along. In my personal opinion, more choice for the user equals better overall results. From CERT to CISecurity to ISC2 to ISECOM, I'm sure WASC and OWASP won't be the only two groups in the future.


